The overview tab collects information about the alerts triggered over the last 24 hours to give you a snapshot of your network's status and offers you several ways to investigate the events that triggered alerts.
There's a lot you can learn here so we'll explain how to make best use of this information by describing the three areas of this tab:
1. Quick filters
This area breaks down the types of alerts triggered in the last 24 hours and lets you apply filters to other elements in the tab.
Click on any of the bubbles to show the alert timeline for the selected category of alert. Click on one or more of the alert severities on the right to show data for the selected severities. As you apply priority filters to the information, the alert counts displayed in the bubbles are updated to reflect the count of alerts with the selected priority(s). The category and priority filters also apply to the alert timeline table in the Alert analysis area.
The alert categories are:
|Network||All alerts based on firewall, web, proxy or IDS events.|
|Threats||Alerts based on firewall, web, proxy or IDS events that use data from threat intelligence feeds.|
|Access||Alerts based on Active Directory events.|
|Endpoints||Alerts based on your network endpoint devices/machines.|
|Alert Chains||Alerts that are based on other alerts. Learn more.|
|Availability||Alerts that report on system inactivity. There is one for each firewall, web server, proxy, IDS, access, and relay instance.|
Example: Reviewing the highest severity alerts
You want to have a look at the most severe threat alerts that have occurred in the last 24 hours. Click the Threats bubble, then click to select the Critical and High severities. This filter is reflected both in the alert counts in the bubbles and in the alert timeline table below the quick filter.
You can select any alert in the timeline table to further investigate the events that triggered that type of alert.
2. Alert analysis
Get a quick read on the most common alerts over the last 24 hours and analyze the events related to them.
Use the frequency chart (1) to identify patterns in the frequency of each alert over the last 12 hours. Mouse-over an alert name to display the count for each spot in the chart. When Global size is on, the spot sizes are scaled against all others in the chart. Turn this setting off to scale the spots only against other spots for the same alert (row).
The persistent alerts table (2) lists, in descending order, the alerts that have been triggered most frequently over the last 24 hours.
The alert timeline table (3) is a complete list of alerts in the last 24 hours starting with the most recent and the highest priority. The alert category and priority filters also apply to the content displayed in this table. In addition, you can filter by time by clicking and dragging along the timeline to examine the events that occurred during a specific time period.
When you locate an alert that you want to investigate, first click on the arrow at the right side of the alert definition to see the text of the alert. You can also click the alert row to open another table that shows all the events over the last 24 that have triggered the selected alert.
You can search this table or click Raw to open the contents in the search window where you can work with the data as with any other query.
3. Alert investigation
This is a complete list of the alerts ordered first by priority level, then by date. For each alert, key values (like IP addresses or ports) are extracted as actionable parameters that you can click to identify all other alerts that cite the parameter value. The alerts are displayed in the alert timeline table where you can further investigate the events that triggered the alerts.
Example: Tracking a suspicious IP address
You want to investigate suspicious activity associated with a particular IP address. In the Alert list, click the IP address parameter. This immediately updates the quick filter with the count of alerts involving this address and filters the alert timeline to show only events associated with the same type of alert. Select an alert in the timeline table to display the events that triggered this type of alert.
The parameter value is highlighted in all events in which it is cited. To work with these events, you can click Raw to open the table of events in the search window.
Once a parameter for one alert is selected (source IP, as in the example) the list of alerts matching the parameter is shown, so you can procced to investigate. You can add additional filters by clicking the bubbels (you may have alerts with this condition in several bubbles) or/and click the priority pyramid.
Alert state settings
All the alerts in the application have a state assigned that informs you about the condition of the alert. The default state for newly defined alerts is New, but you can always change it to adapt it to the current situation.
Check the state of your alerts in the right part of the Alert List. To change it, just click the state icon and select the required one from the list.
The available alert states are: Without State, Unread, Updated, False Positive, New, Watched, Closed, Reminder, Recovery and AntiFlooding. As said above, new alerts are assigned the New state by default. You can change statuses as needed, or leave the application assign them depending on certain conditions. For example, if the alert is not opened in one hour since its creation, the state changes to Unread; when you open it, the Watched state is assigned.
You can also click the filter icon in the Alert List to filter alerts by state. For instance, it may be useful to show New and Unread alerts, and hide Watched ones. If you do this, alerts that change to the Watched status will be automatically hidden from the list, which might be useful for investigation. Another example is hiding alerts set as False positive.
You can group alerts with the same type and parameters to avoid flooding. Simply click the group iconat the top right corner of the Alert List, and all the alerts with the same parameters will be automatically grouped.
For instance, suppose that the platform is alerting that the IP 10.2.3.4 is trying to perform a DoS attack, or an internal DNS is trying to access several external DNS. You can include the IP in a white list, or handle the DoS by alerting only once. Any of these cases will trigger a lot of alerts that belong to the same type (for example, SecIntSeveralDNS) and are caused by the same user or IP, so you may want to group them to see only a single notification in the list.
In the following capture, we see that the IP address 126.96.36.199 is causing many 4xx web errors.
After clicking the group icon, we can see that there have been 77 alerts related to the mentioned IP addressed causing 4xx web errors in the last 24 hours. This is a good way of reducing the number of alerts shown in the Alert List, but note that alert groups do not show the state of the alerts (since they may have different ones).
To check the alerts of a group, click the group icon in each alert group.